sigmahighHunting

Exchange Set OabVirtualDirectory ExternalUrl Property

Rule to detect an adversary setting OabVirtualDirectory External URL property to a script in Exchange Management log

MITRE ATT&CK

persistence

Detection Query

keywords:
  "|all":
    - Set-OabVirtualDirectory
    - ExternalUrl
    - Page_Load
    - script
condition: keywords

Author

Jose Rodriguez @Cyb3rPandaH

Created

2021-03-15

Data Sources

windowsmsexchange-management

Platforms

windows

References

https://twitter.com/OTR_Community/status/1371053369071132675

Tags

attack.persistenceattack.t1505.003

Raw Content

title: Exchange Set OabVirtualDirectory ExternalUrl Property
id: 9db37458-4df2-46a5-95ab-307e7f29e675
status: test
description: Rule to detect an adversary setting OabVirtualDirectory External URL property to a script in Exchange Management log
references:
    - https://twitter.com/OTR_Community/status/1371053369071132675
author: Jose Rodriguez @Cyb3rPandaH
date: 2021-03-15
modified: 2023-01-23
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    product: windows
    service: msexchange-management
detection:
    keywords:
        '|all':
            - 'Set-OabVirtualDirectory'
            - 'ExternalUrl'
            - 'Page_Load'
            - 'script'
    condition: keywords
falsepositives:
    - Unknown
level: high